Privacy Policy

Last updated: June 2026

Introduction

This Privacy Policy explains how Tomasz Zylka, sole proprietor trading as Tomasz Zylka Veinito.com ("we", "us", "our"), the operator of ClassKasa, collects, uses, and protects your personal data when you use our service. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

Data Controller

The data controller responsible for your personal data is: Tomasz Zylka, sole proprietor trading as Tomasz Zylka Veinito.com, Bierzycka 8, 51-179 Wroclaw, Poland. NIP: PL6452337008, REGON: 521704806. For any privacy-related inquiries, contact us at tomek@classkasa.com.

Data Protection Officer

We have not appointed a Data Protection Officer (DPO) as we are not required to do so under Art. 37 GDPR. For all data protection matters, please contact: tomek@classkasa.com.

Data We Collect

We collect the following personal data to provide and improve our service:

Email address (for authentication via magic links)
Your name (displayed to class members)

AI Document Analysis (Bank Statement Reconciliation)

If you use the Bank Statement Reconciliation feature (available to ClassKasa Premium subscribers), you may upload bank statement files (PDF or images) for automated transaction extraction. The following describes how we process this data:

Uploaded documents: bank statement files (PDF or image format) containing transaction details, account holder names, IBANs, account numbers, transaction descriptions, and amounts.
Extracted transaction data: transaction descriptions, amounts, dates, and sender/recipient names parsed from the uploaded document by AI analysis.
Bank statements may contain personal data (PII) including sender names, IBANs, account numbers, and transaction descriptions that reference individuals.

Lawful basis: Art. 6(1)(b) GDPR - processing is necessary for the performance of the contract (your ClassKasa Premium subscription). You initiate each scan by uploading a document and explicitly approving extracted results before any payment records are updated.

AI sub-processor: Uploaded documents are sent to Anthropic, PBC (San Francisco, USA) via its API for transaction extraction using the Claude language model. Anthropic processes the data solely to return results to ClassKasa and does not use API inputs to train its models. Transfer basis: Standard Contractual Clauses (SCCs). See the Sub-processors section for details.

Temporary file storage: Uploaded files are temporarily stored in Netlify Blobs (EU region) during processing. Original files are deleted immediately after AI analysis is complete. ClassKasa does not retain copies of your uploaded bank statements.

Data retention: Original uploaded files are deleted immediately after processing. Extracted transaction metadata (descriptions, amounts, dates, matched payment records) is retained as part of your class audit trail for the lifetime of the collection. You may request erasure of extracted data by contacting tomek@classkasa.com.

Your rights: You have the right to access, rectify, or request erasure of AI-extracted transaction data under Articles 15-17 GDPR. You may also object to AI processing under Art. 21 GDPR. Because the treasurer must explicitly approve all AI-suggested matches before records are updated, no automated decision-making within the meaning of Art. 22 GDPR takes place.

Privacy Policy

Introduction

Data Controller

Data Protection Officer

Data We Collect

AI Document Analysis (Bank Statement Reconciliation)

Ambassador Program data

Purposes and Legal Basis

Information for Parents Added by Treasurers (Art. 14 GDPR)

Joint Controllership (Art. 26 GDPR)

Data Retention

Sub-processors

Your Rights

How to Exercise Your Rights

Supervisory Authority

Data Breach Notification

Children's Data

Cookies

International Data Transfers

Contact Us

Advertising & analytics partners